COMP 3000 Operating Systems
Kernel Modules (part 1)
Lianying Zhao
When do We Need to Modify the Kernel?
• We need to change/improve the kernel functionality
• E.g., adding support for new devices, new file systems, and ad-hoc changes
• Security
• We see some security issue/vulnerability, and addressing it needs kernel support
• Recall: Address space layout randomization (ASLR)
• This is just a choice in many cases
• What about offloading to userspace, e.g., FUSE?
• Microkernels
COMP 3000 (Winter 2021) 2
Kernel Modules vs. Device Drivers
• Statically built kernel code = kernel image (e.g., /boot/vmlinuz)
• Dynamically built kernel code = kernel module
• Device driver = kernel code that operates or controls a particular type of device
• A device driver can be either part of the kernel image or a kernel module
Kernel Modules vs. Device Drivers (CONT’d)
• A kernel module does not need to be a device driver
• You just don’t create/manipulate a device
• A device-neutral OS
• This means other OS components need to care less about where they reside (i.e., for the OS itself!)
• So, device drivers are also a way of creating abstractions
• Studies of the Linux kernel reveal that over 70% of OS code is found in device drivers*
• On disk vs. in memory vs. active/running
* “An Empirical Study of Operating System Errors” by Andy Chou, Junfeng Yang, Benjamin Chelf, Seth Hallem, Dawson Engler. SOSP ’01.
Implications of Using Kernel Modules
• In the case of open-source OSes, often community contributors are not full-time OS kernel developers
• We have isolated address spaces for individual user processes, but now there’s just one kernel space
• Stability
• No more “segmentation fault” but only “kernel panic”
• Security
• Not in terms of compromised code (e.g., malware infection)
• But vulnerable code
How do We Prevent Undesired Kernel Modifications?
• First of all: inserting a kernel module requires root privilege
• Secure Boot
• But only at boot time, and thereafter depends on kernel support
• Kernel module signing
• With kernel command line option: module.sig_enforce=1
• Tainted kernels (optional reading)
• Compare with: Windows Driver Signature Enforcement
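An added example (not from the slides) of how to check the module signing and taint state described above on a running Linux system. The function names are hypothetical; the taint bit numbers follow the kernel's tainted-kernels documentation.

```shell
#!/bin/sh
# Added example (not from the slides). Function names are hypothetical.

# Succeeds if a kernel command line string contains module.sig_enforce=1.
cmdline_enforces_sig() {
    case " $1 " in
        *" module.sig_enforce=1 "*) return 0 ;;
    esac
    return 1
}

# Prints the module-related flags set in a taint bitmask (decimal), using the
# bit numbers from the kernel's tainted-kernels documentation.
module_taints() {
    mask=$1; out=""
    [ $(( $mask & 1 ))    -ne 0 ] && out="$out proprietary"   # bit 0
    [ $(( $mask & 2 ))    -ne 0 ] && out="$out forced-load"   # bit 1
    [ $(( $mask & 4096 )) -ne 0 ] && out="$out out-of-tree"   # bit 12
    [ $(( $mask & 8192 )) -ne 0 ] && out="$out unsigned"      # bit 13
    echo "${out# }"
}

# Reports the state of the running system; skips files that are not readable.
report_live() {
    if [ -r /proc/cmdline ] && cmdline_enforces_sig "$(cat /proc/cmdline)"; then
        echo "cmdline: module.sig_enforce=1 present"
    else
        echo "cmdline: module.sig_enforce=1 not present"
    fi
    # Effective setting; enforcement can also be compiled in, so the command
    # line alone is not conclusive. The file may be absent on some builds.
    p=/sys/module/module/parameters/sig_enforce
    if [ -r "$p" ]; then echo "runtime sig_enforce: $(cat "$p")"; fi
    t=/proc/sys/kernel/tainted
    if [ -r "$t" ]; then echo "module taints: $(module_taints "$(cat "$t")")"; fi
    return 0
}

report_live
```

A non-empty "module taints" line on a system that is expected to load only signed, in-tree modules is worth investigating.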
Now Recall: Root vs. Kernel
• The root user is just a user with the max power granted
• Note a user is just a label/number to the kernel
• Kernel code => privileged code => x86 Ring 0
• So the root user issues are to do with authorization
• Why is the root user authorized to do so much?